{
  "threat_severity" : "Important",
  "public_date" : "2018-06-20T10:00:00Z",
  "bugzilla" : {
    "description" : "glusterfs: access trusted peer group via remote-host command",
    "id" : "1582043",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1582043"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.6",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-287",
  "details" : [ "glusterfs is vulnerable to privilege escalation on gluster server nodes. An authenticated gluster client via TLS could use gluster cli with --remote-host command to add it self to trusted storage pool and perform privileged gluster operations like adding other machines to trusted storage pool, start, stop, and delete volumes.", "A flaw was found in glusterfs which can lead to privilege escalation on gluster server nodes. An authenticated gluster client via TLS could use gluster cli with --remote-host command to add it self to trusted storage pool and perform privileged gluster operations like adding other machines to trusted storage pool, start, stop, and delete volumes." ],
  "statement" : "Red Hat Enterprise Linux 6, 7 are not affected by this flaw as it only affects glusterfs-server package. Red Hat Virtualization Hypervisor is not impacted by this flaw, as it uses gluster in a controlled manner via vdsm.",
  "affected_release" : [ {
    "product_name" : "Native Client for RHEL 6 for Red Hat Storage",
    "release_date" : "2018-06-20T00:00:00Z",
    "advisory" : "RHSA-2018:1955",
    "cpe" : "cpe:/a:redhat:storage:3:client:el6",
    "package" : "glusterfs-0:3.8.4-54.11.el6"
  }, {
    "product_name" : "Native Client for RHEL 7 for Red Hat Storage",
    "release_date" : "2018-06-20T00:00:00Z",
    "advisory" : "RHSA-2018:1954",
    "cpe" : "cpe:/a:redhat:storage:3:client:el7",
    "package" : "glusterfs-0:3.8.4-54.10.el7"
  }, {
    "product_name" : "Red Hat Gluster Storage 3.3 for RHEL 6",
    "release_date" : "2018-06-20T00:00:00Z",
    "advisory" : "RHSA-2018:1955",
    "cpe" : "cpe:/a:redhat:storage:3.3:server:el6",
    "package" : "glusterfs-0:3.8.4-54.11.el6rhs"
  }, {
    "product_name" : "Red Hat Gluster Storage 3.3 for RHEL 7",
    "release_date" : "2018-06-20T00:00:00Z",
    "advisory" : "RHSA-2018:1954",
    "cpe" : "cpe:/a:redhat:storage:3.3:server:el7",
    "package" : "glusterfs-0:3.8.4-54.10.el7rhgs"
  }, {
    "product_name" : "Red Hat Virtualization 4 for Red Hat Enterprise Linux 7",
    "release_date" : "2018-06-20T00:00:00Z",
    "advisory" : "RHSA-2018:1954",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7::hypervisor",
    "package" : "glusterfs-0:3.8.4-54.10.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "glusterfs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "glusterfs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Virtualization 4",
    "fix_state" : "Not affected",
    "package_name" : "redhat-virtualization-host",
    "cpe" : "cpe:/o:redhat:rhev_hypervisor:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2018-10841\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-10841" ],
  "name" : "CVE-2018-10841",
  "csaw" : false
}